10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource.
10.3 Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:
10.3.1 Verify user identification is included in log entries.
10.3.2 Verify type of event is included in log entries.
10.3.3 Verify date and time stamp is included in log entries.
10.3.4 Verify success or failure indication is included in log entries.
10.3.5 Verify origination of event is included in log entries.
10.3.6 Verify identity or name of affected data, system component, or resources is included in log entries.
By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how.